ntoskrnl.exe High CPU Process — Step-by-Step Fix and BSOD Crash Guide

By Will Wisser
Posted on October 25, 2025

1. Introduction

ntoskrnl.exe is the core of Windows. It schedules threads, manages memory, handles I/O, and brokers interrupts. When Task Manager shows “System” or “System Interrupts” pegging a CPU core and tools trace that load back to ntoskrnl.exe, the kernel is rarely the root cause. In practice, misbehaving drivers, firmware, or hardware push the kernel into heavy work (DPC/ISR activity, memory paging, or I/O thrashing), which surfaces as “NT Kernel & System” high CPU.

This tutorial walks you through fast triage, then deeper, reproducible diagnostics using built-in tools and free Microsoft utilities. A dedicated section covers ntoskrnl.exe BSOD analysis and fixes.

2. Quick Triage (5–10 minutes)

- Reboot cleanly to clear stuck DPC/ISR loops. After restart, wait 2–3 minutes and re-check CPU.
- Safe Mode check: Press Win + R → msconfig → Boot → check Safe boot → Network. If CPU normalizes in Safe Mode, a third-party driver or service is likely at fault.
- Windows Update: Install pending updates and reboot. Kernel, stack, and driver fixes land here first.
- Device Security → Memory Integrity: Temporarily toggle Core isolation > Memory integrity off to test for legacy driver issues. Reboot and re-check. Turn it back on after testing.
- Malware baseline: Run a Microsoft Defender Full scan. If anything is found, remediate before continuing.

3. Prerequisites for Deep Dive

- Administrator rights
- Sysinternals tools: Process Explorer, Process Monitor (optional)
- Windows Performance Recorder/Analyzer (WPR/WPA) — part of Windows ADK
- WinDbg (Preview) from Microsoft Store (for BSOD section)
- Optional: PoolMon from Windows Driver Kit (for driver memory leaks)

4. Step-by-Step Guide to Fix ntoskrnl.exe High CPU

4.1 Identify where the CPU time is spent

- Task Manager → Processes: If “System” or “System interrupts” is high, proceed.
- Process Explorer (run as Admin): View > Show Kernel Times. Expand System → System Interrupts and watch CPU and Threads. Note spikes.
- Resource Monitor → CPU tab: Look at Services and Associated Handles for drivers/services being exercised.

4.2 Capture a short CPU trace (WPR/WPA)

When repro is easy (e.g., CPU spikes after waking from sleep or when using network/disk), take an ETL trace:

- Open an elevated Command Prompt and start a light trace:

    wpr -start CPU

- Reproduce the spike for ~30–60 seconds, then stop:

    wpr -stop "%USERPROFILE%\Desktop\ntoskrnl_highcpu.etl"

- Open the ETL in Windows Performance Analyzer. Inspect:
  - Computation → CPU Usage (Sampled): Look for a hot module (e.g., ndis.sys, storport.sys, dxgkrnl.sys, vendor .sys files).
  - Interrupts → DPC/ISR: High DPC/ISR time indicates a driver/firmware/device issue.

Interpretation rule of thumb: If most samples are under ntoskrnl.exe but the stack points into a device driver (e.g., rt640x64.sys for Realtek NIC), that driver is your focus.

4.3 Update or roll back the offending driver

- Chipset first: Install the latest Intel/AMD chipset package for your platform.
- Then peripherals: Storage (SATA/AHCI, NVMe), network (Intel/Realtek/Killer), GPU (NVIDIA/AMD/Intel), Bluetooth/Wi-Fi, audio (Realtek). Prefer OEM packages over generic Windows ones.
- If the spike started after a recent driver update, roll back via Device Manager > Driver > Roll Back Driver.

4.4 Eliminate power/firmware triggers

- Power plan: Use Balanced. Under Advanced power settings:
  - PCI Express > Link State Power Management → Off (test).
  - USB selective suspend → Disabled (test with USB spikes).
- BIOS/UEFI: Update to the latest stable version. Disable overclocks; test with XMP off.
- C-States/AMD CPPC: If latency-sensitive drivers misbehave, test toggling CPU power features in firmware (document your defaults).

4.5 Check for kernel memory leaks (PoolMon)

- Run poolmon.exe as Admin → Press P for Paged or Nonpaged, B to sort by Bytes.
- Watch which Tag grows over time. Use pooltag.txt (WDK) to map tags to drivers, or search for the tag in \Windows\System32\drivers with:

    findstr /m /s TAG C:\Windows\System32\drivers\*.sys

- Update/replace the mapped driver.

4.6 System file and image health

    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth
    chkdsk C: /f

Run chkdsk on next reboot if prompted. File system or component store damage can push the kernel into heavy error handling.

4.7 Security and filter drivers

AV/EDR, VPN, disk encryption, and USB control software install file system/network filter drivers that sit on hot paths. Temporarily uninstall or disable them to A/B test CPU load (reboot between changes). Ensure you reinstall or re-enable protections when finished.

4.8 Last resort: Driver Verifier (advanced)

Warning: Driver Verifier intentionally stresses drivers and can trigger BSODs. Create a restore point and ensure you know how to boot to Safe Mode.

- Open elevated CMD:

    verifier /standard /all

- Reboot and reproduce. If a BSOD occurs, capture the minidump (see BSOD section) to identify the bad driver.
- Turn it off:

    verifier /reset

5. Validate the Fix

- Re-run your workload for 10–15 minutes and watch System/System Interrupts in Task Manager & Process Explorer.
- Optional: capture a second WPR trace and compare DPC/ISR and hot modules to confirm the improvement.
- Check Event Viewer > Windows Logs > System for new warnings (Disk, Ntfs, WHEA-Logger).

6. Security Hardening & Prevention

- Keep chipset, storage, network, and GPU drivers current (from OEM support pages).
- Prefer WHQL-signed drivers; avoid beta releases on production systems.
- Re-enable Core isolation > Memory integrity after resolving legacy driver issues.
- Scan periodically with Microsoft Defender or a reputable antimalware tool.
- Avoid USB devices and hubs with questionable firmware; update device firmware when offered by the vendor.

7. ntoskrnl.exe BSOD (Blue Screen) “System Crash” Guide

When a blue screen lists ntoskrnl.exe, it typically means the kernel caught a fatal exception caused by a driver or hardware. The kernel is the messenger, not the perpetrator.

7.1 Typical bug checks you may see

- IRQL_NOT_LESS_OR_EQUAL (0xA) — bad driver memory access at high IRQL
- PAGE_FAULT_IN_NONPAGED_AREA (0x50) — invalid memory reference
- KMODE_EXCEPTION_NOT_HANDLED (0x1E), SYSTEM_SERVICE_EXCEPTION (0x3B)
- DRIVER_POWER_STATE_FAILURE (0x9F) — power transition timeout (sleep/hibernate)
- UNEXPECTED_KERNEL_MODE_TRAP (0x7F), APC_INDEX_MISMATCH (0x1)
- CRITICAL_PROCESS_DIED (0xEF) — often storage/memory/AV filters

7.2 Collect and read the crash dump

- Ensure minidumps are enabled: System Properties > Advanced > Startup and Recovery → Write debugging information: Small memory dump (256 KB). Dumps are saved in C:\Windows\Minidump.
- Open the latest *.dmp in WinDbg (Preview) and run:

    .symfix
    .reload
    !analyze -v
    lm
    kv

- Look for the Probably caused by line and any third-party driver near the top of the call stack.
- Alternative quick views: NirSoft BlueScreenView or Resplendence WhoCrashed (read-only viewers).

7.3 Fixes by symptom

- Power/sleep BSODs (0x9F):
  - Update Intel/AMD chipset & Intel RST/AMD storage, GPU, and network/Wi-Fi drivers.
  - In power plan, test disabling PCIe Link State Power Management.
  - Check device Power Management tab and uncheck “Allow the computer to turn off this device” for the problematic adapter.
- Memory access BSODs (0xA, 0x50, 0x1E, 0x3B):
  - Run memory tests:

        mdsched.exe

  - For deeper coverage, run MemTest86 from a USB stick.
  - Remove overclocks/XMP temporarily.
- Storage/file system BSODs: Update NVMe/SATA drivers and firmware; check disk and system files:

        chkdsk C: /f
        sfc /scannow
        DISM /Online /Cleanup-Image /RestoreHealth

- WHEA hardware errors: In Event Viewer, WHEA-Logger events (e.g., ID 18) point to CPU/PCIe/GPU instability. Return clocks to stock, update BIOS/UEFI, confirm adequate cooling and PSU headroom.
- Security/AV filter issues: Temporarily uninstall third-party AV/EDR/VPN and storage filters to test. Reinstall latest versions after confirming stability.

7.4 If BSODs persist

- Run Driver Verifier with standard settings against non-Microsoft drivers to flush out faulty code (see section 4.8). Capture and analyze the resulting dump to identify the exact driver.
- Consider an in-place upgrade repair of Windows to refresh the OS while keeping apps/data.
- Escalate to hardware diagnostics: CPU (Prime95 small FFT), RAM (MemTest86), GPU (vendor stress test), storage SMART/diagnostics (CrystalDiskInfo/vendor tools).

8. Conclusion

High CPU under ntoskrnl.exe is a symptom, not a cause. Use WPR/WPA to pinpoint the misbehaving driver or device, update or roll it back, and validate with a second trace. For kernel-tagged blue screens, minidump analysis with WinDbg will usually identify the offending third-party module. Keep firmware, chipset, and core drivers current, and re-enable security hardening once legacy drivers are replaced.

10. FAQ

Is ntoskrnl.exe a virus?
No. It’s the Windows NT kernel, normally located in C:\Windows\System32. If a process with the same name runs from any other folder, treat it as suspicious and scan your system.

Why does Task Manager show high CPU for System or System Interrupts?
Because the kernel is busy handling driver work (DPC/ISR), storage or network I/O, or memory pressure. The kernel is the messenger; a third-party driver or faulty device is usually responsible.

Which drivers most commonly cause ntoskrnl.exe high CPU?
Network (NDIS), storage (storport/NVMe/SATA/AHCI), GPU (dxgkrnl path), audio, and filter drivers from AV/EDR, VPNs, or encryption tools. Outdated chipset drivers also contribute.

Will reinstalling Windows fix ntoskrnl.exe issues?
It can mask the problem temporarily. If the root cause is a driver, firmware, or hardware defect, the issue returns. Diagnose with WPR/WPA and WinDbg to pinpoint the offending component first.

How do I read a BSOD blaming ntoskrnl.exe?
Open the minidump in WinDbg (Preview), run !analyze -v, then inspect the stack (kv) and loaded modules (lm) to find the third-party driver implicated near the crash point. Update or replace that driver.

Is it safe to use Driver Verifier?
Yes for experienced users, but it’s disruptive. It stresses drivers and may force a BSOD to expose a faulty one. Create a restore point, know how to boot into Safe Mode, and disable it with ‘verifier /reset’ when done.
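The FAQ's first rule (the genuine kernel lives in C:\Windows\System32, and a same-named process elsewhere is suspicious) can be checked directly. The PowerShell below is an added example, not part of the original article; the helper name Get-ImageTrust and the two search roots are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
$kernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'

# Hypothetical helper: signature state and hash for one image file.
function Get-ImageTrust {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject  # empty when the file is unsigned
        IsOSBinary = $sig.IsOSBinary
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# 1. The kernel image itself: expect Status = Valid and a Microsoft signer.
Get-ImageTrust -Path $kernel

# 2. Processes named ntoskrnl.exe whose image is not the System32 file.
#    The real kernel's work shows up under the "System" process, so any hit
#    here matches the FAQ's "treat it as suspicious" case.
Get-CimInstance Win32_Process -Filter "Name = 'ntoskrnl.exe'" |
    Where-Object { $_.ExecutablePath -ne $kernel } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 3. Same-named files in user-writable locations (search roots are an
#    assumption; widen them as needed).
$roots = @($env:ProgramData, (Join-Path $env:SystemDrive 'Users'))
Get-ChildItem -Path $roots -Filter 'ntoskrnl.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ImageTrust -Path $_.FullName }
```

Steps 2 and 3 print nothing on a clean system; any row they do return is a file or process to scan and investigate.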
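Sections 5 and 7.2 both rely on manual checks: the System log for Disk, Ntfs and WHEA-Logger entries, and the Startup and Recovery dump setting. The PowerShell below is an added example, not part of the original article, that reads the same information in one pass; the 7-day look-back window is an assumption, and the bug-check provider in the list is an addition to the three sources the article names.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.

# 1. Crash-dump settings behind System Properties > Startup and Recovery.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
[pscustomobject]@{
    DumpType    = $dumpTypes[[int]$cc.CrashDumpEnabled]
    MinidumpDir = $cc.MinidumpDir
    AutoReboot  = [bool]$cc.AutoReboot
}

# 2. Most recent minidumps, newest first, ready to open in WinDbg.
Get-ChildItem -Path $cc.MinidumpDir -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime, Length

# 3. Critical, Error and Warning events from the sources named in section 5,
#    plus the bug-check records Windows writes after a BSOD.
$since = (Get-Date).AddDays(-7)   # look-back window is an assumption
$providers = 'Microsoft-Windows-WHEA-Logger', 'disk', 'Ntfs',
             'Microsoft-Windows-WER-SystemErrorReporting'
$events = foreach ($p in $providers) {
    # Queried one provider at a time so a source with no events does not abort the rest.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $p; Level = 1, 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue
}

# Counts per provider and event ID, then the ten newest entries.
$events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name
$events | Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, ProviderName, Id, LevelDisplayName
```

Run it before and after a driver change: a fix that worked shows the per-provider counts stop growing and no new dump files appear.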